There was also a message-length client auto or something like that too
for some versions of some Cisco HW, but if memory serves, the version
that introduced it is broken. :)
On 02/23/2011 04:54 PM, Warren Kumari wrote:
In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-l
In PIX versions 6.3.2 and below you had to do:
fixup protocol dns maximum-length 4096
In later versions you need:
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 4096
or to increase the response size length:
policy-map global_policy
 class inspection_default
  inspect
A couple more gems:
https://www.dnssec-deployment.org/wp-content/uploads/2010/03/DNSSEC-CPE-Report.pdf
(really anything at dnssec-deployment.org)
There was another table that I found someplace and cannot find now that
listed Cisco PIX and mentioned w
istophercain.ca
>
>
>
>> -- Forwarded message --
>> From: Ryan Novosielski
>> To: bind-users@lists.isc.org
>> Date: Wed, 23 Feb 2011 11:39:41 -0500
>> Subject: Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
Take a look at this. It is somewhat confusing, but it is helpful and
should tell you right away if you definitely have a firewall issue (and
frankly there's little else it could be).
https://www.dns-oarc.net/oarc/services/replysizetest
On 02/23/2011
Thanks, Mark,
Last June I asked our firewall person to make sure our firewall was not
blocking DNS packets over 512 bytes. He told me our firewall was not
blocking. I guess that might be some default setting of the firewall
and he does not really know. I did two digs here, one with +dnssec and
In message <0539E64AD2B54AD2804C2394F923800B@se179>, "Shaoquan Lin" writes:
> Mark,
>
> Are these bugs (2784 and 1804) fixed by BIND 9.6.1-P3? My problem is that I
> can not get A records of NSs (like vwall4a.nyc.gov) of nyc.gov from
> b.gov-servers.net by BIND 9.6.1-P3 but with no problem with
o set "tc"?
Thank you.
Shaoquan Lin
- Original Message -
From: "Mark Andrews"
To: "Shaoquan Lin"
Cc:
Sent: Saturday, February 19, 2011 6:08 AM
Subject: Re: [SOLVED] Re: BIND9 SERVFAIL on some .gov addresses
In message <17894D6D30484DDFBBE95BEF9
In message <17894D6D30484DDFBBE95BEF987FF5D1@se179>, "Shaoquan Lin" writes:
> Ryan,
>
> Have you solved your problem? I have similar problems. I run BIND
> 9.6.1-P3 on my Solaris 10 and can not resolve anything in domain
> nyc.gov. One thing I noticed is: BIND 9.3 sent a query to
> b.gov-
Ryan,
Have you solved your problem? I have similar problems. I run BIND 9.6.1-P3 on
my Solaris 10 and can not resolve anything in domain nyc.gov. One thing I
noticed is: BIND 9.3 sent a query to b.gov-servers.net with no Additional
records and got a response with A records for the nyc.gov NS
max-udp-size controls what you send.
MAX(512, MIN(max-udp-size, client's UDP size))
edns-udp-size controls what you advertise you can receive.
MAX(512, MIN(edns-udp-size, server's UDP size))
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 98
On 02/11/2011 01:21 PM, Ryan Novosielski wrote:
> On 02/10/2011 04:19 PM, Chuck Swiger wrote:
>> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>>> health.nyc.gov query-errors:
>>>
>>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
>>> 1
On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
>> health.nyc.gov query-errors:
>>
>> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
>> 130.219.34.129#55935: query failed (SERVFAIL) for health
On 02/10/2011 04:19 PM, Chuck Swiger wrote:
> The adberr count looks like it can only be incremented by two code sections
> in lib/dns/resolver.c:
>
> if (result != ISC_R_SUCCESS) {
> if (result == DNS_R_ALIAS) {
>
On Feb 10, 2011, at 12:39 PM, Ryan Novosielski wrote:
> health.nyc.gov query-errors:
>
> 10-Feb-2011 15:32:30.682 query-errors: debug 1: client
> 130.219.34.129#55935: query failed (SERVFAIL) for health.nyc.gov/IN/MX
> at query.c:4630
> 10-Feb-2011 15:32:30.682 query-errors: debug 2: fetch complet
On 02/10/2011 03:23 PM, Chuck Swiger wrote:
> On Feb 10, 2011, at 11:26 AM, Ryan Novosielski wrote:
>> dig: isc_socket_create: address family not supported
>>
>> I've read that I shouldn't let this error message lead me anywhere in
>> particular. Does
On Feb 10, 2011, at 11:26 AM, Ryan Novosielski wrote:
> dig: isc_socket_create: address family not supported
>
> I've read that I shouldn't let this error message lead me anywhere in
> particular. Does anyone have some advice for where to start
> troubleshooting?
The error message you mention is
Hi folks,
I am running into a problem with the Oracle Solaris-delivered BIND9
(BIND 9.6-ESV-R3) that I have running on four DNS servers. I have to
admit my BIND troubleshooting skills aren't what they could be, given
that the product normally "just wo